Some of you who purchased an SSL Cert, or had one included when you set up your new website, may still be seeing the ‘i’ in a circle in the URL address box.

Why?

Well, have you ever clicked on that ‘i’? It stands for Information. When you click on it, a drop-down window shows the type of connection (secure, not fully secure or not secure) and the number of cookies used on that site. In this window, where it says that this is not a secure site, the word “Details” appears in blue and underlined. Click on it.

It opens a window on the right side of your browser screen. At the top of this screen is a toolbar with Elements, Console, Sources. . .Security.

Click Security. What do you see?

Well, it says I have a valid SSL Cert and the connection is secure. Then it says Mixed Content with a red dot?

That’s why. YOU have a secured site but you are offering links to other sites that do not have/have not purchased an SSL Cert.

But I thought I was good to go by purchasing/having an SSL Cert. Well, in a sense you are correct.

This is saying that you have linked to a site that is not secure, or are utilizing an image with a link back to an insecure site.
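The image case is the one browsers count: the Mixed Content flag is raised by resources an HTTPS page itself loads over http:// (images, scripts, stylesheets, frames). The scanner below is an added example, not part of the original post; the page URL and sample HTML are constructed, and the tag list is a common subset rather than a browser's full rule set.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs whose URL the browser fetches while rendering the page.
LOADED = {("img", "src"), ("script", "src"), ("iframe", "src"),
          ("audio", "src"), ("video", "src"), ("source", "src"),
          ("embed", "src"), ("object", "data")}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # <link href> is only fetched for stylesheets and icons.
            rel = (attrs.get("rel") or "").lower().split()
            candidates = ["href"] if "stylesheet" in rel or "icon" in rel else []
        else:
            candidates = [a for (t, a) in LOADED if t == tag]
        for attr in candidates:
            value = attrs.get(attr)
            if not value:
                continue
            # Resolve relative and protocol-relative URLs against the page.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, attr, url))

def find_mixed_content(page_url, html):
    """Return the http:// resources an https:// page would load."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page. The plain <a href> hyperlink is a navigation,
# not a loaded resource, so it is not reported.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<a href="http://partner.example.org/">Our partner</a>
<img src="http://images.example.org/badge.png" alt="badge">
<iframe src="http://widgets.example.org/map"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://www.example.com/", SAMPLE_PAGE):
        print(f"<{tag} {attr}> loads insecure resource: {url}")
```

Each reported URL is something to re-host or switch to https:// before the Security tab stops showing the red dot.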

But, But. . . ah damn, I have a headache now!

All’s well my friends! Give it some time. They will work the kinks/bugs out.

Is my site an e-commerce site that collects credit card information? If Yes, then yes you absolutely should have a cert!!

Do I use a 3rd Party payment processor? If your e-commerce site forwards your visitors to a 3rd party payment processor (like PayPal) to enter the credit card information then you don’t need an SSL certificate because your website won’t touch the credit card information.

Do I have a login form? If your users enter a username and password to login to your site without an SSL certificate, an attacker can easily see their username and password in clear text.

Now you’re saying: I don’t meet any of these criteria. I do have a Newsletter form or a Quote form where I do ask for an email address and name.

No Problem, this is public information and does not meet Industry standards.

Ok, so if I don’t meet the basic criteria and it’s public info, What’s the big deal and why am I being asked to get one?

Well, the Industry is pushing and upgrading to a more secure internet, predominantly over the last few years, with all the hacks/leaks/DDoS/phishing/man-in-the-middle attacks that have been covered in the Media, as well as “Big Brother is watching”. So by going to an encrypted, secure internet there’s less chance of any of these happening. A lot of this has been happening behind the scenes, and most web users really haven’t been aware of it other than that their browser has released a new update.

And you have now noticed the little green padlock or the whole URL address window is green or red. That was the beginning. Companies started making the move to HTTPS. You have probably seen this for your Financial Institution. You may have noticed that your Facebook URL has a green padlock.

But you ask, wait didn’t you say in your last post that SSL Certs are not created equal? Why, yes, yes I did, thanks for remembering. They are not! But remember, the criteria to get the Green Address Bar is very stringent.

Again you say: But I still don’t meet the standard.

True.

There does seem to be a BIG industry push to purchase an SSL, especially with Google’s soon-to-be-released Chrome 56, where they are enacting stricter criteria for the Green Lock (hence an SSL Cert) and touting that it will also give you a higher ranking. BUT if you watched the video in my Post: Why am I receiving email. . . .you saw and heard from Google itself that at this point it is small. And as I am on both sides of the fence, being a website owner and a website designer, I know first hand how coveted it is to be on the first page for a Google Rank. But I also understand that there are x amount of slots on the first page AND that in the last couple of years those slots have lowered due to GOOGLE ADS!

In today’s fast-paced world, of course you do not want to have to go 15 pages deep to find what you are looking for, but have you actually stopped and taken a look at that page? 4 ADS, the next top 3 websites listed are the companies with those Ads, then a sprinkling of what you were searching for, and at the bottom MORE ADS! It’s frustrating sometimes with all those ADS, and I still go 15 pages deep to find what I am looking for.

WordPress Websites & Blogs:

How does this pertain to my WordPress Admin log in?

If you purchased ‘Managed’ WordPress hosting, it may have come with an SSL, and that covers the log in page for your admin as well as showing the ‘Green’ lock in the address window. Please note that there could possibly be an annual fee for the SSL Cert. Check your account with your Hosting Company.
If you do not have an SSL for your site, there are numerous Plug-ins available to help protect against your login page getting hacked. I personally install a Limit Login Attempt plug-in on all my customers’ sites, even if they have an SSL.
WordPress itself also has its own security features, covered here: https://wordpress.org/about/security/

Now you should have an even bigger eye-crossing basic understanding. I cannot answer the question ‘Should I get one?’ You need to assess your business, on-line presence and your business/hobby goals.

There does seem to be a BIG industry push to purchase an SSL, especially with Google’s soon-to-be-released Chrome 56.

In my research, there’s a lot of talk about a ‘more secure web’. At this point, I am asking myself ‘Shouldn’t encryption be a standard feature with my Hosting/Domain?’

Shouldn’t I be able to reasonably expect that if I have my website on their server, their server is secure and encrypted to talk to browsers? And if I installed a Malware Protector like SiteLock, shouldn’t that also improve my security standing without having to purchase an SSL? Especially when I purchased my malware protector through my hosting?

My concern is that I now must make this same decision myself. So, once Chrome updates sometime in January 2017, my site will now have a red lock. And I ask the basic question: Do I collect customer credit card info, username/passwords, provide e-commerce, etc on my site? The answer is no.
So all the reasoning about what you should take into account and how this applies to you comes crashing into a big brick wall with the question: How does this affect us little guys? The answer: MONETARILY!! According to their standards, I do not need an SSL. But yet, with “new improved security standards” I now need to buy into ‘The industry’.

As in all things, BUYER BEWARE!!! Ask questions, pay attention to links you click on whether on a website or in your email. Not sure about a link? READ THE LINK ADDRESS! Copy it and put in a new browser window to verify. Looks like it came from a Company you do business with? Go to that Company’s website with a direct url.

Not all SSLs are created equal. There are 6 versions that I have found:

EV Certs: An EV Certificate is a new type of certificate that is designed to prevent phishing attacks better than normal SSL certificates. What makes an EV Certificate so special? An SSL Certificate Provider has to do some extensive validation to give you one including:

Verifying that your organization is legally registered and active

Verifying the address and phone number of your organization

Verifying that your organization has exclusive right to use the domain specified in the EV Certificate

Verifying that the person ordering the certificate has been authorized by the organization

Verifying that your organization is not on any government blacklists

UC/SAN Certs: A Multi-Domain SSL certificate, also known as a UCC, Unified Communications, or SAN certificate, is a type of certificate that uses Subject Alternative Names to secure multiple host names. Any number of different domain names can be included in the SAN field of the certificate, enabling the certificate to work on any of the included domain names. For example, you could get one UC SSL Certificate to cover all of the following:

mydomain.com

mail.mydomain.com

autodiscover.mydomain.com

anotherdomain.com

Wild Card Certs: SSL Wildcard Certificates are big money-savers. An SSL Wildcard Certificate allows you to secure an unlimited number of first-level sub-domains on a single domain name. That means you can get an SSL Certificate with the common name as *.mydomain.com and you can use it on all of the following without receiving any errors:

www.mydomain.com

mail.mydomain.com

intranet.mydomain.com

secure.mydomain.com

Note: However, in most web browsers (including Internet Explorer) SSL Wildcard Certificates won’t work for multiple levels. This means that an SSL Certificate Wildcard for *.mydomain.com won’t work on www.mail.mydomain.com or site1.sitea.mydomain.com or my.ridiculously.long.subdomain.mydomain.com. The web browser will give a name mismatch error. If you need to secure multiple levels of subdomains or completely different domain names in one certificate, check out Unified Communications SSL Certificates.
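The matching rule behind the UC/SAN and wildcard lists above, as an added example that is not from the original post: a wildcard stands for exactly one leftmost label, and a multi-domain certificate is checked name by name. It is a simplified model of browser name matching (real browsers also reject wildcards over public suffixes), using the host names quoted above.

```python
def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, hostname):
    """True if one certificate name (possibly a wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # '*' stands for exactly one label, never several or none
    if p[0] == "*":
        # The wildcard must be the whole leftmost label, followed by at least
        # two fixed labels (simplification: rules out names like *.com).
        if len(p) < 3 or "*" in "".join(p[1:]):
            return False
        return bool(h[0]) and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial or misplaced wildcards are not accepted here
    return p == h

def cert_covers(san_names, hostname):
    """True if any name listed in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)

def coverage(san_names, hostnames):
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: cert_covers(san_names, h) for h in hostnames}

# Name lists taken from the examples in the text above.
WILDCARD_CERT = ["*.mydomain.com"]
UC_SAN_CERT = ["mydomain.com", "mail.mydomain.com",
               "autodiscover.mydomain.com", "anotherdomain.com"]

if __name__ == "__main__":
    hosts = ["www.mydomain.com", "mail.mydomain.com", "mydomain.com",
             "www.mail.mydomain.com", "site1.sitea.mydomain.com",
             "anotherdomain.com"]
    for label, names in (("wildcard", WILDCARD_CERT), ("UC/SAN", UC_SAN_CERT)):
        for host, ok in coverage(names, hosts).items():
            print(f"{label:8} {host:28} {'ok' if ok else 'name mismatch'}")
```

Note that the bare domain mydomain.com is not covered by *.mydomain.com under this rule, so a wildcard certificate normally has to list it as a separate name.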

Code Signing Certs: A code signing certificate is a file containing a digital signature that can be used to sign executables and scripts in order to verify your identity and ensure that your code has not been tampered with since it was signed. This helps your users to determine whether your software can be trusted.

A code signing certificate allows you to sign code using a private and public key system similar to how an SSL certificate secures a website.

DV Certs: Domain Validated SSL Certificates are no-frills, encryption-only certificates. In order to get a Domain Validated SSL Certificate you just have to prove that you own the domain by responding to an email or phone call using the information in the WHOIS record of the domain. It’s easy. Your company doesn’t have to be validated and no organization name is entered in the certificate. This is good and bad news.

Advantages:

Speed. You can usually get a fully-functioning certificate within minutes. No need to send in company validation documents.

Price. Because the process is automated and requires no validation from the certificate authority, these are the cheapest SSL certificates available.

Disadvantages:

Low assurance. Because your company is not validated, these certificates don’t help your visitors know who is running your site. If you have an e-commerce site, your potential buyers may be scared off.

Less secure. The certificates themselves still enable full, 128-bit encryption but there are other security problems. For one, any phisher can get one and can hide their identity completely. Second, they make man-in-the-middle attacks more dangerous. If an attacker was able to do some DNS poisoning, he could get a Domain Validated SSL Certificate for your domain and redirect visitors to a fake site that allows him to collect visitor information.

Domain validated certificates do almost nothing to verify that you are talking to who you think you are talking to.

So when should you use Domain Validated SSL Certificates?

They work well in situations where you don’t need to assure your visitors or where there is little chance of a man-in-the-middle attack such as on an internal server or on a mail server.

Shared SSL Certs: Shared SSLs are installed globally on the server and configured to be used by all users on the server, and all clients can use them.

Advantage: Shared & DV both fulfill the main goal of encrypting your site.

However, with a shared cert your url address could look like this: https://servername.yourhost.com vs with DV that would look like: http://yourname.com

Disadvantage: Your business name is not usually on the certificate. The person who bought the certificate (and you are sharing it with) usually appears. For some online shoppers, this might raise red flags. Another problem is that if the person who bought the SSL certificate lapses, you lapse as well, leaving your Web site vulnerable.

Since the Cert was generated in the hostname of the server, it will cause a certificate warning message to pop up on your site when it is used, as it does not match the domain name.

Note: Some hosting companies offer a free shared SSL.

What is a certificate authority (CA)?

A certificate authority is an entity which issues digital certificates to organizations or people after validating them. Certification authorities have to keep detailed records of what has been issued and the information used to issue it, and are audited regularly to make sure that they are following defined procedures. Every certification authority provides a Certification Practice Statement (CPS) that defines the procedures that will be used to verify applications. There are many commercial CAs that charge for their services (VeriSign). Institutions and governments may have their own CAs, and there are also free Certificate Authorities. Every certificate authority has different products, prices, SSL certificate features, and levels of customer satisfaction.

Note: The standards that all SSL providers have to follow to issue any version of an SSL Certificate were created and agreed upon by all the members of the CA/Browser Forum.

What is browser compatibility?

The certificate that you purchase to secure your web site must be digitally signed by another certificate that is already in the trusted store of your user’s web browser. By doing this, the web browser will automatically trust your certificate because it is issued by someone that it already trusts. If it isn’t signed by a trusted root certificate, or if links in the certificate chain are missing, then the web browser will give a warning message that the web site may not be trusted.
So browser compatibility means that the certificate you buy is signed by a root certificate that is already trusted by most web browsers that your customers may be using. Unless otherwise noted, the certificates from all major certificate providers listed on SSL Shopper are compatible with 99% of all browsers.

So, now that you’re overloaded with that info, I’m going to stop here so you can chew on this information.

Customer: Why did I get this email? Why is it asking: Does your site pass Chrome’s security checks? and there’s a link to scan my site.

Well these are completely loaded questions and in doing research on this subject, I’m thinking it will need to be broken down into multiple posts over the next week.

Basically, Google is updating to Chrome 56. With this there is a shift in the industry to start marking websites as Secure (green lock in url window), Secure (the whole url bar as green w/green lock) or Not Secure in the url bar. We have already been seeing this for some time for some of the bigger companies, financial institutions & e-commerce sites, especially with the increase in all of the breaches/hacks/attacks that we have been hearing about over the last 2 years.

Excerpt from GoDaddy, more info:

When customers visit your website, they might check the URL in the browser bar to see if it’s a secure HTTPS, rather than HTTP, connection before entering their personal information. But Google research found that many people don’t check first for an HTTPS connection — putting themselves and their information inadvertently at risk, even on some of the world’s most trafficked websites.

The new Google Chrome Not Secure warning puts website security front-and-center.
When a page is loaded in Chrome 56, Google will look for forms that collect passwords and credit card numbers, plus check for valid SSL certificates that provide secure HTTPS connections.

Thus putting a green lock, green url address bar or Not Secure message in the URL address window, which, as stated above, their research found that people don’t check?

What this means:

Websites that take in sensitive data but are not protected by SSL certificates will be flagged as “Not secure.”

Now GoDaddy offers a Free Unsecure Form Scanner for your use. What does it do?

Scans your website for two things:

Forms that handle login or payment information.

The installation of an SSL certificate.

This determines whether your site will display the Google Chrome Not Secure warning message to visitors using the latest Chrome browser version.
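A sketch of that two-part check, as an added example that is not GoDaddy's scanner or Chrome's own logic: it looks for password and payment fields in a page's HTML and combines that with whether the page is served over https://. The field heuristics (type="password", autocomplete="cc-…"), the verdict strings and the sample pages are assumptions, and an https:// URL is taken to mean a valid certificate is installed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Standard HTML autocomplete tokens for payment-card fields.
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month",
               "cc-exp-year", "cc-name"}

class SensitiveFieldFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = []  # (kind, field name)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name") or a.get("id") or "(unnamed)"
        if a.get("type", "").lower() == "password":
            self.fields.append(("password", name))
        elif CARD_TOKENS & set(a.get("autocomplete", "").lower().split()):
            self.fields.append(("payment", name))

def not_secure_verdict(page_url, html):
    """Return (verdict, sensitive fields) for one page.

    "not secure" means sensitive fields on a page without HTTPS;
    every other combination gets "no warning" under this rule.
    """
    finder = SensitiveFieldFinder()
    finder.feed(html)
    finder.close()
    over_https = urlsplit(page_url).scheme == "https"
    if finder.fields and not over_https:
        return ("not secure", finder.fields)
    return ("no warning", finder.fields)

# Constructed samples: a CMS-style admin login form and a newsletter form.
LOGIN_PAGE = """
<form method="post" action="wp-login.php">
  <input type="text" name="log">
  <input type="password" name="pwd">
  <input type="submit" value="Log In">
</form>
"""
NEWSLETTER_PAGE = """
<form method="post" action="/subscribe">
  <input type="text" name="name">
  <input type="email" name="email">
</form>
"""

if __name__ == "__main__":
    print(not_secure_verdict("http://blog.example.com/wp-login.php", LOGIN_PAGE))
    print(not_secure_verdict("https://blog.example.com/wp-login.php", LOGIN_PAGE))
    print(not_secure_verdict("http://blog.example.com/", NEWSLETTER_PAGE))
```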

Now this leads to the ‘Loaded’ part:

If your CMS is web/browser based (WordPress, Wix, CMS Lite, and the list goes on), where in order to edit your website you have an Admin log-in window pop up, and you do not have an SSL Cert, you will now be marked as Unsecure!

Ok, now your mind is racing with questions or comments:

I’m just a Blog

I don’t take Credit Card info, I send them to a third party (PayPal)

What’s an SSL

Where do I get one

But I’ve installed Sitelock, doesn’t that mean I’m secure

I thought my CMS log-in was secure and why would my admin page affect my security ranking if I don’t meet industry standards for an SSL

????????????????????????

Now what

Don’t Panic!

Remember above I called this an INDUSTRY? It’s a business. As website owners we know that the Internet is not FREE!

You have to pay to have internet connection

You need a computer or mobile device,

Which uses browsers/mobile apps to ‘talk’ to the internet

Which sells advertisement slots

The website you visit has to pay to be on the web

The website has to purchase/lease a name

The website has to be maintained and updated

So They have just ‘upped’ the game to have your presence on the web.

The BIG QUESTION: Now What?

Do your research, call your hosting companies and ask questions.

I am not an expert on Security, so I cannot advise you on what to do.

I can only give my opinion, which could be a big stinky onion to some, as they are a dime a dozen and everybody has one!

So check back as I do more research, add another layer to my Onion and try to answer some of your questions!

Was in the ‘Zone’ yesterday and designed 4 Friendship/Uplifting Memes. I call them Memes for lack of a better term. Maybe ‘Quotes’ could work but some just aren’t really quoting anyone in particular?

So, after taking the plunge and making a FB page, I obviously didn’t want to have to type more than I have to. So I went on a search for a plug-in to use that would ‘automatically’ update my FB page when I do a post here on my website.

Blog25Social came up. It has a Free version as well as the paid Premium. The difference? Options.

Apparently there are key time frames to post to your social media and Premium will post for you during those parameters. I equate that to setting a time for a text to be sent vs. immediate.

In the Free version it is immediate.

But, there’s a but here. Once you have created your post in your Blog, you then have to go into the plug-in Dashboard and manually share. It doesn’t matter if you have the Free or Premium version. Like I mentioned above, Premium just gives you the option to set a timer.

So, it’s not completely ‘automatic’. It’s just a couple mouse clicks so I guess that’s better than having to Cut&Paste or even re-typing.

Once you get the hang of it, it’s all good.

So, I will be on the hunt for a plug-in that could actually be ‘automatic’ or more user-friendly for a beginning Blogger with limited experience.